BGP AS Path Filter Example

Hi Rene,

Will BGP AS Path Filter work if I have only one IP transit provider (default) and this provider doesn’t support any BGP communities? I want to announce my routes only to a few of my provider’s upstreams and to stop incoming traffic from others.

Hi Mikhail,

The AS path will always be in your BGP updates so yes, you don’t need communities for that.

Rene

Is there a show command for as-paths access-lists, or do you need to filter it out of the running config?

Hello Chris

The command show ip as-path access-list displays information about IP AS path access lists.

I hope this has been helpful!

Laz

Hello

Please, if I have the configuration below, what does it do?

route-map CC-IN, deny, sequence 2
  Match clauses:
    as-path (as-path filter): 15 
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes

show ip as-path-access-list 15
AS path access list 15
     permit ^39216$

  neighbor 192.168.100.1 route-map CC-IN in

Thanks for your support.

Hi Rawaz,

The first statement (sequence 2) denies everything in AS-path 15.

AS path access-list 15 matches only on AS number 39216, nothing else.

Your route-map, however, doesn’t have any permit statements, so because of the implicit (invisible) deny any, everything will be denied.

If your goal is to deny only whatever you have in AS path access-list 15, add an additional sequence number in your route-map. Something like:

route-map CC-IN permit 10

The things you then deny in sequence 2 are denied, and everything else will be permitted because of sequence 10 (which is empty, which means it matches on everything).

Hope this helps!

Rene

Can AS-Path Prepend be used to influence incoming routes, outgoing routes, or both? Thank you

Hello Brian

AS-Path Prepend is used to influence incoming traffic. What it does is a router adds its own AS multiple times in the AS path, thus making this path appear longer, and thus less favourable. Like all methods of influencing incoming traffic, it can always be overridden by the routers in other AS’s.

Take a look at the relevant lesson below for more information:

I hope this has been helpful!

Laz

For this issue: Deny prefixes that originated from AS 56203 and permit everything else
why can’t we use
ip as-path access-list 1 deny ^56203$ <-- then you are only matching an AS path that only has 56203 in it and nothing else
ip as-path access-list 1 permit .*

Please advise. Thanks

I think I got it. Can’t use ^ because it means it has to be a directly connected AS or the 1st AS in the path.
Am I right?

Hello Sahil

Yes you are correct. When you use the “^” you are indicating that ONLY this AS is being matched. However, using _56203$ you are matching strings that END with 56203 which means that such prefixes ORIGINATED from AS 56203.

I hope this has been helpful!

Laz
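
Added example, not part of the thread: a small Python model of the evaluation order described in Rene's reply to Rawaz (implicit deny at the end of a route-map) and Laz's reply to Sahil (^56203$ versus _56203$). The AS paths are constructed samples, the ACL labels "caret" and "origin" are hypothetical, and the translation of "_" into a Python pattern is this example's approximation of IOS behaviour.

```python
import re

# What "_" stands for in an IOS AS-path regex: a delimiter or either end of the string.
IOS_UNDERSCORE = r"(?:^|$|[ ,{}()])"

def acl_permits(acl, as_path):
    """First matching entry decides; no match at all is the implicit deny."""
    for action, pattern in acl:
        if re.search(pattern.replace("_", IOS_UNDERSCORE), as_path):
            return action == "permit"
    return False

def route_map_permits(route_map, acls, as_path):
    """Walk entries by sequence number. An entry with no match clause matches
    everything; falling off the end is the route-map's implicit deny."""
    for _seq, action, acl_id in sorted(route_map, key=lambda e: e[0]):
        if acl_id is None or acl_permits(acls[acl_id], as_path):
            return action == "permit"
    return False

ACLS = {
    15: [("permit", "^39216$")],                         # as shown in the thread
    "caret": [("deny", "^56203$"), ("permit", ".*")],    # Sahil's first attempt
    "origin": [("deny", "_56203$"), ("permit", ".*")],   # pattern from Laz's reply
}
CC_IN_ORIGINAL = [(2, "deny", 15)]                       # Rawaz's route-map
CC_IN_FIXED = [(2, "deny", 15), (10, "permit", None)]    # with Rene's empty permit 10

# Constructed AS paths (leftmost = neighbor AS, rightmost = origin AS).
SAMPLE_PATHS = ["39216", "3257 39216", "3257 1299",
                "56203", "3257 56203", "3257 156203"]

def report():
    """Return permit (True) / deny (False) for each sample path and policy."""
    rows = {}
    for path in SAMPLE_PATHS:
        rows[path] = {
            "CC-IN original": route_map_permits(CC_IN_ORIGINAL, ACLS, path),
            "CC-IN fixed": route_map_permits(CC_IN_FIXED, ACLS, path),
            "^56203$": acl_permits(ACLS["caret"], path),
            "_56203$": acl_permits(ACLS["origin"], path),
        }
    return rows

if __name__ == "__main__":
    for path, verdicts in report().items():
        print(f"{path!r:16}", {k: "permit" if v else "deny" for k, v in verdicts.items()})
```

The "3257 156203" row shows why the leading "_" matters: without a delimiter in front, a pattern ending in 56203$ would also catch AS 156203.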

I did try to run some of the examples. I unfortunately got the issue in the printscreen attached. When I copy/paste a command in the telnet window, all spaces are removed, except the one after “show”.

Hello Maodo

This may have something to do with the way in which the Windows Command Line application interprets the spaces copied from a web page. If you want to copy and paste commands, I suggest you first paste them into Notepad, make sure they are correct, and then copy them from there and paste them into the command line. This will ensure that the spaces are correctly interpreted and pasted. Alternatively, you can simply type the commands in.

I hope this has been helpful!

Laz

Issue solved.

Telnetting to route-server.as3257.net allows only the show route command. Pasting any other show command recognizes only show, then one space, and the concatenation of all the following words (without keeping spaces between them).

Telnetting route-views.optus.net.au did allow me to try all the commands in the article.

Thanks, I wanted to ask the same question :)
Why did the administrator have to deny the show ip bgp command? Maybe it is no longer Cisco IOS.

Hello Giovanni

I’m not sure I understand your question. Can you clarify?

Laz

I asked if route-views.optus.net.au has an OS different from Cisco IOS,
because the commands typed by Rene no longer work.

Hello Giovanni

Thanks for clarifying. I was able to log in to the route-views.optus.net.au device and was able to execute these commands including the show ip bgp command. Also, the show version command shows the following output:

route-views.optus.net.au>show ver
Cisco IOS Software, 7200 Software (C7200-SPSERVICESK9-M), Version 12.2(33)SRE4, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2011 by Cisco Systems, Inc.
Compiled Mon 30-May-11 03:09 by prod_rel_team

ROM: System Bootstrap, Version 12.3(4r)T3, RELEASE SOFTWARE (fc1)

route-views.optus.net.au uptime is 5 years, 51 weeks, 1 day, 9 hours, 17 minutes
System returned to ROM by reload at 02:57:26 UTC Tue May 6 2014
System restarted at 03:03:14 UTC Tue May 6 2014
System image file is "disk2:c7200-spservicesk9-mz.122-33.SRE4.bin"
Last reload type: Normal Reload
Last reload reason: Reload Command

I was able to Telnet in without any passwords or other credentials. Which other specific commands are not working for you?

Laz

Sorry, I was wrong. The router is the same one that Rene used for this lesson; it is route-server.as3257.net.

Hello Giovanni

Yes, I see, the list of available commands has changed, and it may be that the OS of the device has also changed. I will let Rene know to update the lesson contents.

Thanks for pointing this out!

Laz